slapd-meta
by Fr3ddie
Hello to the list,
I'm trying to configure the slapd-meta OpenLDAP backend on an online
cn=config
configuration with no luck. Slapd version is 2.4.39 (the maximum I can
achieve on the target machines building from vanilla source).
The documentation is clear but too concise for me so I will try to explain
what I'm trying to do to see if there is anybody that can help me.
Currently I have 3 slapd servers that share a common root for the DIT, i.e.:
dc=loc1,dc=root
dc=loc2,dc=root
dc=loc3,dc=root
What I would like to achieve is to obtain a fourth server that contains
the previous trees, along with its own tree, i.e. a server that contains:
dc=loc0,dc=root (locally hosted data)
dc=loc1,dc=root (coming from the first server, chasing referrals)
dc=loc2,dc=root (coming from the second server, chasing referrals)
dc=loc3,dc=root (coming from the third server, chasing referrals)
this way, all the clients connecting to this server will be able to
retrieve data also from the other three remote servers.
As far as I understood, I only need to configure the "loc0" server to access
the other three servers and get the data to serve to clients.
I have already configured the fourth server with its local DIT and this is
the configuration:
# cat 'cn=config.ldif'
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
structuralObjectClass: olcGlobal
creatorsName: cn=config
olcServerID: 1
olcThreads: 32
olcToolThreads: 8
olcRequires: LDAPv3
olcConnMaxPendingAuth: 100
olcTLSCACertificateFile: /etc/ssl/certs/my_ca_cert.pem
olcTLSCertificateFile: /etc/ssl/certs/this-host_x509_cert.pem
olcTLSCertificateKeyFile: /etc/ssl/private/this-host_x509_key.key
olcTLSVerifyClient: try
olcTimeLimit: 600
olcLogLevel: stats2 sync
[...]
# cat 'cn=module{0}.ldif'
dn: cn=module{0}
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModuleLoad: {2}accesslog
structuralObjectClass: olcModuleList
[...]
Schema files are the following:
cn={0}core.ldif
cn={1}cosine.ldif
cn={2}nis.ldif
cn={3}inetorgperson.ldif
cn={4}dyngroup.ldif
cn={5}kerberos.ldif
# cat 'olcDatabase={1}hdb.ldif'
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=loc0,dc=root
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey
  by dn="cn=admin,dc=loc0,dc=root" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=loc0,dc=root" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=loc0,dc=root
olcRootPW:: xxxxxxxxxxxxxxxxxxxx
olcDbCacheSize: 10000
olcDbCheckpoint: 512 10
olcDbConfig: {0}set_cachesize 0 524288000 1
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
olcDbIDLcacheSize: 30000
olcDbIndex: default pres,eq
[...]
structuralObjectClass: olcHdbConfig
olcSyncrepl: {0}rid=0 provider=ldap://second-host.loc0.root bindmethod=simple
  binddn="cn=admin,dc=loc0,dc=root" credentials=xxxxxx searchbase="dc=loc0,dc=root"
  logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=yes
olcMirrorMode: TRUE
[...]
On top of this DB I have the "syncprov" and the "accesslog" overlays
configured
(these are two servers in "MirrorMode", configured following the
OpenLDAP admin documentation).
I believe this DB is the one containing the actual "loc0" DIT data...
Then I have the accesslog DB for the replica (with the syncprov overlay
on top):
# cat 'olcDatabase={2}hdb.ldif'
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=loc0,dc=root
olcDbConfig: {0}set_cachesize 0 524288000 1
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbConfig: {4}set_flags DB_LOG_AUTOREMOVE
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
[...]
On top of this environment I start loading the needed modules with this
LDIF file:
version: 1
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_ldap
-
add: olcModuleLoad
olcModuleLoad: back_meta
-
add: olcModuleLoad
olcModuleLoad: rwm
and it seems I'm able to load the new modules without errors
into the configuration, thus I obtain:
# cat 'cn=module{0}.ldif'
dn: cn=module{0}
structuralObjectClass: olcModuleList
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModuleLoad: {2}accesslog
olcModuleLoad: {3}back_ldap
olcModuleLoad: {4}back_meta
olcModuleLoad: {5}rwm
[...]
Now I try to load the slapd-meta directives into a new database using
this LDIF:
version: 1
dn: olcDatabase={3}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {3}meta
olcSuffix: dc=root
olcDbURI: "ldap://server-loc1.loc1.root/dc=loc1,dc=root"
olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc1,dc=root"
  credentials=xxxxxx starttls=yes tls_reqcert=demand
olcDbURI: "ldap://server-loc2.loc2.root/dc=loc2,dc=root"
olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc2,dc=root"
  credentials=xxxxxx starttls=yes tls_reqcert=demand
olcDbURI: "ldap://server-loc3.loc3.root/dc=loc3,dc=root"
olcDbIdAssertBind: bindmethod=simple binddn="cn=admin,dc=loc3,dc=root"
  credentials=xxxxxx starttls=yes tls_reqcert=demand
but I get an error that keeps me stuck trying various combinations without
success:
# ldapadd -Y EXTERNAL -H ldapi:/// -f slapd-META-DB-CREATION.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase={3}meta,cn=config"
ldap_add: Object class violation (65)
additional info: attribute 'olcDbURI' not allowed
and:
# tail /var/log/openldap/slapd.log
Nov 9 19:47:17 server01 slapd[32392]: conn=1025 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:47:29 server01 slapd[32392]: conn=1052 op=2 INTERM oid=1.3.6.1.4.1.4203.1.9.1.4
Nov 9 19:49:47 server01 slapd[32392]: conn=1327 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:52:17 server01 slapd[32392]: conn=1628 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:54:46 server01 slapd[32392]: conn=1929 op=2 ENTRY dn="dc=loc0,dc=root"
Nov 9 19:57:07 server01 slapd[32392]: Entry (olcDatabase={3}meta,cn=config), attribute 'olcDbURI' not allowed
In the slapd-meta documentation the "URI" directive is mentioned, but
"DbURI" seems to raise a "better error"; in fact, if I modify the above
LDIF file to use "URI" I obtain:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase={3}meta,cn=config"
ldap_add: Undefined attribute type (17)
additional info: olcUri: attribute type undefined
Moreover, the slapd-meta docs do not state that the slapd-ldap backend is
needed by slapd-meta, but anyway I think it's needed, because if I try to
load slapd-meta alone it raises an error (I don't remember exactly which one).
At this point I'm stuck to this error and I wasn't able to find any hint
on the web to solve this :(
The examples I was able to find were related to the static slapd.conf
configuration; I couldn't find any "full" configuration example using cn=config.
I'm wondering if I should create a "cn=root" actual DB first and then
link the sub-DITs to it,
or, maybe, add some other overlay... I really can't understand how it
should work :(
Can please anybody help me?
Thank you very much
6 years, 6 months
Using LMDB safely with fork() and exec()
by Lorenz Bauer
Hello List,
The LMDB documentation says the following in its section on caveats:
> * Use an MDB_env* in the process which opened it, without fork()ing.
> * Do not have open an LMDB database twice in the same process at the same time. Not even from a plain open() call - close()ing it breaks flock() advisory locking.
This seems contrary to an earlier thread on this list (1), which
suggests that fork/execing a process using LMDB is OK so long as the
MDB_env is not used in the forked process. Looking at the flock man
pages on FreeBSD and Linux tells me that this indeed should be ok: an
flock is released only when all fds pointing to the open file table
entry are closed (ignoring explicit unlock). Exec with FD_CLOEXEC set
should therefore be OK.
Is my interpretation correct? I want to use this to implement graceful
restarts in a daemon which uses LMDB:
* mdb_env_open() in old process
* fork() -> exec() the daemon itself
* mdb_env_open() in new process
* mdb_env_close() in old process
If this works, I'd like to contribute the changes necessary to not
leak fds on exec, which are mentioned in the other thread.
* Are there contribution guidelines somewhere? How do I submit a patch?
* Seems like there is currently no call to SetHandleInformation with
HANDLE_FLAG_INHERIT=0 for Windows, should that be added?
Best,
Lorenz
1: http://www.openldap.org/lists/openldap-technical/201403/msg00149.html
6 years, 8 months
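The two caveats quoted above describe two different lock behaviours, and it helps to see them side by side. BSD flock() locks belong to the open file description, so they survive a fork() whose child merely closes its inherited copy of the descriptor, and they are untouched by a second open()/close() of the same file in the same process. POSIX fcntl()/lockf() record locks are per process and are dropped as soon as the process closes any descriptor for the file, which is the "plain open() ... close()" hazard; as far as I recall mdb.c, LMDB's lock file uses fcntl() locks on POSIX systems, so that caveat is the one that bites. The example below is added here and is not from the thread or from LMDB; it replays both events against a constructed temporary file and uses a forked child as the probe, since POSIX locks never conflict within one process.

```python
import errno
import fcntl
import os
import tempfile

# Added example, not from the thread or from LMDB: which exclusive locks survive
# (1) a fork() whose child drops its inherited descriptor and (2) a second
# open()/close() of the same file in the locking process.


def _child_can_lock(path, use_flock, inherited_fd=None):
    """Fork a child that closes its inherited copy of `inherited_fd` (if given),
    opens `path` afresh and tries a non-blocking exclusive lock.
    Returns True if the child obtained the lock, i.e. nobody else held it."""
    pid = os.fork()
    if pid == 0:
        code = 2                               # 2 = the probe itself failed
        try:
            if inherited_fd is not None:
                os.close(inherited_fd)         # like FD_CLOEXEC on exec: drop only our copy
            fd = os.open(path, os.O_RDWR)      # Python >= 3.4 opens with O_CLOEXEC by default
            try:
                if use_flock:
                    fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                else:
                    fcntl.lockf(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                code = 0                       # 0 = lock acquired
            except OSError as e:
                if e.errno in (errno.EWOULDBLOCK, errno.EAGAIN, errno.EACCES):
                    code = 1                   # 1 = blocked by another holder
                else:
                    raise
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status)
    if code == 2:
        raise RuntimeError("probe child failed")
    return code == 0


def lock_survives(use_flock):
    """Take an exclusive lock on a constructed temp file (stand-in for the LMDB
    lock file), then replay the two events from the caveat.
    Returns (still_held_after_fork, still_held_after_second_open_close)."""
    fd, path = tempfile.mkstemp()
    try:
        if use_flock:
            fcntl.flock(fd, fcntl.LOCK_EX)
        else:
            fcntl.lockf(fd, fcntl.LOCK_EX)
        # Event 1: fork(); the child never uses the lock and closes its fd copy.
        after_fork = not _child_can_lock(path, use_flock, inherited_fd=fd)
        # Event 2: a second plain open()/close() of the same file in this process.
        fd2 = os.open(path, os.O_RDWR)
        os.close(fd2)
        after_reopen = not _child_can_lock(path, use_flock)
        return after_fork, after_reopen
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    print("flock():       held after fork, after reopen =", lock_survives(True))
    print("fcntl()/lockf: held after fork, after reopen =", lock_survives(False))
```

With flock() both results are True; with lockf() the first is True (a forked child holds no POSIX locks, so closing its descriptor releases nothing) and the second is False (the parent's own close(fd2) dropped its lock). That second case is why a process must not open the LMDB lock file a second time, while the fork/exec restart sequence in the post is safe as long as the child never touches the environment and its descriptors are closed on exec.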
Documentation Feedback
by Tom Jay
Hello,
I would like to voice my frustration with the quality of the OpenLDAP documentation. I am compiling OpenLDAP from source on Debian 7, and have spent about 2-3 continuous days getting to the point where I can add an LDAP user with a UID. I have been close to giving up with the software, but need it for the LDAP functionality, and as very few viable alternatives exist, have been forced to continue with the installation. I have however almost lost confidence in the product, and am concerned that if there are any problems with it in the future, or I want to enable another feature, I will be almost helpless in getting it to work.
The main problem is the Quick-Start Guide. This is anything but quick, and forces the user to consult the less-than-succinct Admin guide. The two together are inconsistent, difficult to follow and do a poor job of explaining what each feature does. The accessibility of information is less than optimal, which means that the user has to look elsewhere, consuming even more time. Unfortunately, there is not much relevant information on the Internet, forcing the user to get stuck in an almost endless loop of checking documentation, testing, reading manuals, and searching on the Internet, in order to get some kind of idea how the software works and what needs to be done to get it working.
I would offer to contribute to the documentation, but due to its lack of usefulness, do not have an understanding of the basic concepts myself. The best I would be able to do is describe my experience and provide the steps that I followed to get a basic installation working.
Hopefully someone can volunteer the time to test the documentation, in the same way a new user would!
Tom
6 years, 8 months
UNKNOWN attributeDescription "ATTRIBUTE1" inserted
by PenguinWhispererThe
Hi all,
I've been trying to update a schema with new olcAttributeTypes and modified
an existing objectClass (X) so these attributeTypes may be used with it.
However, after adding these attributes to objectClass X I did a "rollback"
(replacing the current olcObjectClasses (replace: olcObjectClasses) with
the old definition, and the same for the olcAttributeTypes (replace:
olcAttributeTypes)).
I think somewhere along the way something wasn't cleaned up properly.
Now when I start slapd service I get:
slapd[21335]: UNKNOWN attributeDescription "ATTRIBUTE1 " inserted.
slapd[21335]: UNKNOWN attributeDescription "ATTRIBUTE2" inserted.
slapd[21335]: [66B blob data]
With slapschema:
UNKNOWN attributeDescription "ATTRIBUTE1 " inserted.
UNKNOWN attributeDescription "ATTRIBUTE2" inserted.
UNKNOWN attributeDescription "ATTRIBUTE3
With slapcat I can't find anything that's matching these names.
When I grep in the mdb file grep says the binary file is matching.
However when I ldapsearch for the attribute I can't find it.
Neither with slapcat.
Note that I replaced the actual attribute names in the posted output.
So I think I might have some data in that mdb that's not linked to anything
anymore.
So my question is: how can I clean this up? And/or what did/went wrong?
Thanks in advance for your help.
6 years, 8 months
Should I use OpenLDAP or PostgreSQL for this?
by John Lewis
I want to start a project to document my local government starting at
the municipal level and going upwards from there. I want to build an
interface to allow people to look up their representatives and their
public servants by issue and geographic area or issue and get their
contact information back.
I want it to have fast lookups so community organizers will come to
my site first when they want to find out who does what. I would also like it
to be able to scale geographically so that local activists could
have their own copy of the database on a local server that they can also
delegate access to. I would like to delegate updates to a development
version of the database to other people, similar to Open Street Map, but
I would still like to verify changes so there won't be a flood of bad
data. The presentation and the data storage will be separate components.
Knowing this information could you tell me what data management engine
would be more appropriate for the task?
6 years, 8 months
Re: Should I use OpenLDAP or PostgreSQL for this?
by Howard Chu
John Lewis wrote:
> I want to start a project to document my local government starting at
> the municipal level and going upwards from there. I want to build an
> interface to allow people to look up their representatives and their
> public servants by issue and geographic area or issue and get their
> contact information back.
>
> I want it to have fast lookups so community organizers will come to
> my site first when they want to find out who does what. I would also like it
> to be able to scale geographically so that local activists could
> have their own copy of the database on a local server that they can also
> delegate access to. I would like to delegate updates to a development
> version of the database to other people, similar to Open Street Map, but
> I would still like to verify changes so there won't be a flood of bad
> data. The presentation and the data storage will be separate components.
>
> Knowing this information could you tell me what data management engine
> would be more appropriate for the task?
I have a strong suspicion that OpenLDAP will be the superior solution for this
problem, but you can't say definitively, based on a brief description. I would
suggest you start to draw out on paper the types of information you plan to
store, and group the related items together. This will give you some idea of
what your basic DB records will contain. Then draw out what kinds of search
operations you plan to support, or what kinds of data you expect users to be
able to retrieve. Figure out what natural interconnections and relationships
exist between your records.
Most real world problem sets don't break down into 100% pure tabular data
structures, nor do they break down into 100% pure hierarchical structures. But
if you find there's a natural hierarchy like
geographic area
county
municipality
as I said before, I would suspect that the hierarchical structure will be a
more natural fit. Also, given your requirement to scale out geographically -
this is trivial to do with OpenLDAP; it is quite cumbersome to do with SQL
servers.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 8 months
Change default SSHA password encryption algorithm
by Net Warrior
Hi Guys
I need some guidance on this, I configured a ppolicy for a DIT which has
all the users in plain password, I added to following to the policy
changetype: modify
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: FALSE
When a user resets their password, it changes from a clear password to
one encrypted using SSHA, but I want to store them using md5crypt. What do I
need to change in my configuration?
Thank you very much for your time and support
Regards
6 years, 8 months
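To see what the schemes in this question actually store, here is an added example (not from the thread, and not OpenLDAP's own code) that builds and verifies RFC 2307 style userPassword values the way slappasswd and ppolicy hashing produce them: {SSHA} and {SMD5} are base64(digest || salt) with a 4-byte random salt, {SHA} and {MD5} are the unsalted digests, and a value without a {SCHEME} prefix is cleartext. It also classifies each value so a slapcat dump can be audited for cleartext or unsalted entries before and after a policy change. {CRYPT} values (md5crypt is the $1$ prefix) are classified by prefix only, since verifying them means calling the system crypt(3); the LDIF sample at the bottom is constructed and its {CRYPT} value is a placeholder, not a real hash.

```python
import base64
import hashlib
import hmac
import os
import re

# Added example, not from the thread: userPassword schemes as OpenLDAP stores them.

_PREFIX = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

# scheme -> (hashlib algorithm, whether a salt is appended after the digest)
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}


def split_scheme(value):
    """Return (SCHEME, payload); a value with no {SCHEME} prefix is cleartext."""
    m = _PREFIX.match(value)
    if m is None:
        return None, value
    return m.group(1).upper(), m.group(2)


def make_hash(password, scheme="SSHA", salt=None):
    """Produce {SCHEME}base64(digest || salt) like slappasswd; 4 random salt bytes
    unless a salt is given (the salted schemes only)."""
    algo, salted = _SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify(password, stored):
    """Check a candidate password against a stored userPassword value.
    {CRYPT} and other schemes not in _SCHEMES are refused rather than guessed."""
    scheme, payload = split_scheme(stored)
    if scheme is None:  # cleartext: still compare in constant time
        return hmac.compare_digest(password.encode("utf-8"), payload.encode("utf-8"))
    if scheme not in _SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    algo, salted = _SCHEMES[scheme]
    raw = base64.b64decode(payload)
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]  # the salt is whatever follows the digest
    if salt and not salted:
        return False
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def classify(stored):
    """Coarse audit class: cleartext, unsalted, salted-fast, or the crypt(3) family."""
    scheme, payload = split_scheme(stored)
    if scheme is None:
        return "cleartext"
    if scheme in ("SHA", "MD5"):
        return "unsalted"
    if scheme in ("SSHA", "SMD5"):
        return "salted-fast"
    if scheme == "CRYPT":
        if payload.startswith("$1$"):
            return "md5crypt"
        if payload.startswith(("$5$", "$6$", "$2")):
            return "crypt-strong"
        return "crypt-des"
    return "unknown:" + scheme


def audit_ldif(text):
    """Walk an LDIF dump (slapcat output) and return {dn: class} for every entry
    with a userPassword; '::' values are base64, as slapcat writes them."""
    report, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):
            report[dn] = classify(base64.b64decode(line[15:]).decode("utf-8"))
        elif line.startswith("userPassword: "):
            report[dn] = classify(line[14:])
    return report


def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample dump: one cleartext user, one SSHA user, one md5crypt placeholder.
SAMPLE_LDIF = """\
dn: uid=alice,dc=example,dc=com
userPassword:: %s

dn: uid=bob,dc=example,dc=com
userPassword:: %s

dn: uid=carol,dc=example,dc=com
userPassword: {CRYPT}$1$saltsalt$PLACEHOLDERNOTAREALHASH
""" % (_b64("secret"), _b64(make_hash("secret", "SSHA", salt=b"abcd")))
```

Running `audit_ldif(SAMPLE_LDIF)` reports alice as cleartext, bob as salted-fast and carol as md5crypt, which is the before/after view an administrator wants when switching the ppolicy hash: existing cleartext values are not rehashed until each user next changes their password.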
contextCSN attribute update on replication
by Óscar Remírez de Ganuza Satrústegui
Good morning,
I am writing from IT Services at Universidad de Navarra.
We have recently upgraded our openldap servers from openldap 2.4.34 with
BDB 5.3.21 to openldap 2.4.44 with MDB databases.
We have configured replication from the master server [1] to some slave
servers [2] (syncrepl refreshAndPersist), and it is working ok.
Usually, when a change is made on master server, I can see how it is
propagated and applied on the slave server. Using Auditlog Overlay I can
see on the slave server:
# modify 1470723918 dc=base,dc=com cn=Admin,dc=base,dc=com conn=-1
dn: ...
changetype: modify
replace:
[..]
# end modify 1470723918
And just after that, the contextCSN gets updated too:
# modify 1470723918 dc=base,dc=com cn=Admin,dc=base,dc=com conn=-1
dn: dc=base,dc=com
changetype: modify
replace: contextCSN
contextCSN: 20160809062518.877725Z#000000#000#000000
-
# end modify 1470723918
Is this the normal behaviour?
I do not see the contextCSN update in the accesslog database on the master
server, nor in its Auditlog.
So I do not know if contextCSN has been replicated from the master server,
or the slave database is updating it.
But I am seeing some weird things from time to time: sometimes, somehow,
the contextCSN attribute does not get updated after the modification.
Checking its value in the master server, I can see that it has been updated
correctly, but not on the slave server.
The strange thing is that it happens only about once every tens of changes.
Could it be some kind of bad configuration?
On the previous openldap version, we were checking the contextCSN value on
master and slave servers in order to check the replication status. But
right now, although replication is working ok, sometimes the contextCSN
does not get updated on the slave server, so we cannot use it in order to
check the replication status.
Thank you so much for your help.
Regards,
[1] Master:
* Accesslog Database:
database mdb
maxsize 1073741824
suffix cn=log
directory /../openldap/var/accesslog
rootdn "cn=Admin,dc=base,dc=com"
index objectClass eq
index entryCSN eq
index reqEnd eq
index reqResult eq
index reqStart eq
index reqDN eq
index default eq
overlay syncprov
syncprov-reloadhint true
syncprov-nopresent true
* Main Database overlays:
overlay syncprov
syncprov-checkpoint 1000 60
overlay accesslog
logdb cn=log
logops writes
logsuccess true
logpurge 14+00:00 01+00:00
[2] Slave:
syncrepl rid=1
provider="ldap://ldap-master.base.com:389/"
type=refreshAndPersist
retry="60 10 300 +"
searchbase="dc=base,dc=com"
logbase="cn=log"
syncdata=accesslog
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
scope=sub
schemachecking=off
binddn=...
*Oscar Remírez de Ganuza Satrústegui*
IT Services
Universidad de Navarra
Tel. +34 948425600 x803130
http://www.unav.edu/web/it/
6 years, 8 months
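The check described in this post (comparing contextCSN on provider and consumer to judge replication status) is easy to get wrong by string comparison, so here is an added example, not from the thread and not OpenLDAP's own code, that parses the CSN format seen above (`20160809062518.877725Z#000000#000#000000`: UTC timestamp, change count, serverID, modifier number, the last three in hexadecimal), pairs values by serverID so multi-provider setups with one contextCSN per SID are handled, and reports how many seconds each consumer value lags. The values in the test are constructed.

```python
from datetime import datetime, timezone

# Added example, not from the thread: measure replication lag from contextCSN values.


def parse_csn(csn):
    """Split an OpenLDAP CSN 'YYYYmmddHHMMSS.ffffffZ#count#sid#mod' into
    (utc timestamp, count, sid, mod); count, sid and mod are hexadecimal."""
    stamp, count, sid, mod = csn.strip().split("#")
    ts = datetime.strptime(stamp, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)
    return ts, int(count, 16), int(sid, 16), int(mod, 16)


def csn_key(csn):
    """Ordering key: CSNs order by timestamp, then change count, then modifier."""
    ts, count, _sid, mod = parse_csn(csn)
    return (ts, count, mod)


def by_sid(values):
    """Index contextCSN values by serverID (one value per provider in multi-master)."""
    return {parse_csn(v)[2]: v for v in values}


def replication_lag(provider_csns, consumer_csns):
    """Return {sid: seconds the consumer is behind the provider} for each serverID
    the provider reports. A SID the consumer has never seen maps to None; a
    consumer ahead of the provider (should not happen) shows as a negative number."""
    prov, cons = by_sid(provider_csns), by_sid(consumer_csns)
    lag = {}
    for sid, pv in prov.items():
        cv = cons.get(sid)
        if cv is None:
            lag[sid] = None
            continue
        lag[sid] = (parse_csn(pv)[0] - parse_csn(cv)[0]).total_seconds()
    return lag


def in_sync(provider_csns, consumer_csns):
    """True only if every provider contextCSN is matched or exceeded on the consumer."""
    prov, cons = by_sid(provider_csns), by_sid(consumer_csns)
    return all(sid in cons and csn_key(cons[sid]) >= csn_key(v) for sid, v in prov.items())


if __name__ == "__main__":
    # constructed values: the consumer is exactly one minute behind
    provider = ["20160809062518.877725Z#000000#000#000000"]
    consumer = ["20160809062418.877725Z#000000#000#000000"]
    print(replication_lag(provider, consumer), in_sync(provider, consumer))
```

In practice the two lists come from `ldapsearch -s base -b <suffix> contextCSN` against each server; a lag that stays non-zero across several polls, rather than a single stale reading, is the signal worth alerting on.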
openldap stops responding after some time
by Daniel Betz
Hello list,
I hope you can help me with my problem.
To my setup:
All servers are OpenLDAP 2.4.42
I have a master LDAP server, which replicates with standard syncrepl to a consumer LDAP.
On this consumer LDAP server I have configured a standalone slapd proxy with slapd-ldap which pushes changes to more than 6000 consumer LDAPs.
There are more LDAP proxies running, with 500 consumers each, to reduce startup time.
The master and slave are connected via TCP, and the LDAP proxies are on the slave via socket.
Everything works fine and changes are replicated in real time to the consumers behind the proxy, but after some time (about 20 to 30 minutes) the slave LDAP just hangs and isn't responding any more.
A short time before it hangs the changes are pushed with a long delay, before it hangs fully.
With debug on (-d256) everything looks fine and no error is displayed, but it hangs.
I have tested the standard syncrepl and delta syncrepl with the same result. When I strace the process there are only many futex_wait() calls.
While I write this mail the error doesn't occur, so I am not able to paste a strace.
So then. Has anyone an idea about this problem or a better solution for my setup?
Any hints to debug this, or some tips and tricks, would be really nice.
Here are the relevant configuration settings of all servers:
## all ldap servers are started with extended limits in systemd
LimitCORE=0
LimitNPROC=5000000
LimitNOFILE=65535
LimitSTACK=81920
LimitDATA=infinity
LimitMEMLOCK=infinity
LimitRSS=infinity
LimitAS=infinity
and: echo 5000000 > /proc/sys/kernel/threads-max
Because of limits in OpenLDAP itself I have patched it too:
diff -rNu openldap-2.4.42.orig/libraries/libldap_r/tpool.c openldap-2.4.42/libraries/libldap_r/tpool.c
--- openldap-2.4.42.orig/libraries/libldap_r/tpool.c 2015-08-31 08:26:55.000000000 +0200
+++ openldap-2.4.42/libraries/libldap_r/tpool.c 2015-08-31 07:39:25.000000000 +0200
@@ -42,10 +42,10 @@
/* Max number of thread-specific keys we store per thread.
* We don't expect to use many...
*/
-#define MAXKEYS 32
+#define MAXKEYS 65535
/* Max number of threads */
-#define LDAP_MAXTHR 1024 /* must be a power of 2 */
+#define LDAP_MAXTHR 65535 /* must be a power of 2 */
/* (Theoretical) max number of pending requests */
#define MAX_PENDING (INT_MAX/2) /* INT_MAX - (room to avoid overflow) */
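Review bot: the new `#define LDAP_MAXTHR 65535` contradicts the comment kept on the same line, `/* must be a power of 2 */`; 65535 is 2^16 - 1, so anything that relies on that property (a mask or a power-of-two table size) will misbehave, and the nearest valid values are 32768 or 65536. The `MAXKEYS` bump from 32 to 65535 raises per-thread key storage by the same factor although the comment directly above it says "We don't expect to use many..."; suggest leaving MAXKEYS alone and picking a power of two for LDAP_MAXTHR that still exceeds the `threads 2048` setting in the slave config.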
diff -rNu openldap-2.4.42.orig/servers/slapd/daemon.c openldap-2.4.42/servers/slapd/daemon.c
--- openldap-2.4.42.orig/servers/slapd/daemon.c 2015-08-31 08:25:42.000000000 +0200
+++ openldap-2.4.42/servers/slapd/daemon.c 2015-08-31 07:42:02.000000000 +0200
@@ -1635,6 +1635,7 @@
#else /* ! HAVE_SYSCONF && ! HAVE_GETDTABLESIZE */
dtblsize = FD_SETSIZE;
#endif /* ! HAVE_SYSCONF && ! HAVE_GETDTABLESIZE */
+ dtblsize=8192;
/* open a pipe (or something equivalent connected to itself).
* we write a byte on this fd whenever we catch a signal. The main
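Review bot: the added `+ dtblsize=8192;` unconditionally overrides the value the preceding `#if`/`#else` chain just computed from sysconf()/getdtablesize()/FD_SETSIZE, so the `LimitNOFILE=65535` set in systemd earlier in the mail is never seen here and the table size no longer matches the real descriptor limit. If a larger table is the goal, raising the process limit (which the existing code already reads) is the change; if a cap is wanted, `if (dtblsize > 8192) dtblsize = 8192;` keeps the computed value when it is smaller. Style: spaces around `=` and a comment saying why the override exists.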
And raised the max integer numbers of syncrepl's rid=
### Master ###########
loglevel 0
sizelimit unlimited
database mdb
suffix "o=company, c=de"
rootdn "cn=Manager,o=company,c=de"
rootpw "xxxxxxxxxxxxxxxxxxxxxxxx"
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 1000
index DFan,DFname,uid,uidNumber,gidNumber,DFCronjobID eq
index entryUUID,entryCSN eq
index objectClass eq
directory /var/lib/ldap/openldap-mdb
maxsize 8500000000
#### Slave ##################
loglevel 0
threads 2048
database mdb
suffix "o=company, c=de"
rootdn "cn=Manager,o=company,c=de"
rootpw "xxxxxxxxxxxxxxxxxxxx"
# here are all consumer ldap servers one by one
access to dn.subtree="sid=240,sec=webhosting,o=company,c=de"
by dn.exact="cn=replicator,sid=240,sec=webhosting,o=company,c=de" write
by * auth
access to dn.subtree="sid=241,sec=webhosting,o=company,c=de"
by dn.exact="cn=replicator,sid=241,sec=webhosting,o=company,c=de" write
by * auth
access to dn.subtree="sid=242,sec=webhosting,o=company,c=de"
by dn.exact="cn=replicator,sid=242,sec=webhosting,o=company,c=de" write
by * auth
...
...
index DFan,DFname,uid,uidNumber,gidNumber,DFCronjobID eq
index entryUUID,entryCSN eq
index objectClass eq
directory /var/lib/ldap/openldap-mdb
syncrepl rid=001
provider=ldaps://ldapmaster:636/
binddn="cn=Manager,o=company,c=de"
bindmethod=simple
credentials=xxxxxxxxxxxxxxxxxxxxxx
searchbase="o=company,c=de"
type=refreshAndPersist
retry="5 5 300 5"
overlay syncprov
syncprov-checkpoint 1000 60
maxsize 8500000000
maxreaders 12000
##### SLAPD Proxy #####################
database ldap
hidden on
suffix "sid=240,sec=webhosting,o=company,c=de"
rootdn "cn=replicator,sid=240,sec=webhosting,o=company,c=de"
uri ldaps://sid240.int.webslave.company.de:636
lastmod on
restrict all
acl-bind bindmethod=simple
binddn="cn=replicator,sid=240,sec=webhosting,o=company,c=de"
credentials="xxxxxxxxxxxxxxxxxxxxx"
syncrepl rid=001
provider=ldapi://
binddn="cn=Manager,o=company,c=de"
bindmethod=simple
credentials=xxxxxxxxxxxxxxxxxxxxxxxxx
searchbase="sid=240,sec=webhosting,o=company,c=de"
type=refreshAndPersist
retry="5 5 300 5"
overlay syncprov
# next one
database ldap
hidden on
suffix "sid=241,sec=webhosting,o=company,c=de"
rootdn "cn=replicator,sid=241,sec=webhosting,o=company,c=de"
uri ldaps://sid241.int.webslave.company.de:636
lastmod on
restrict all
acl-bind bindmethod=simple
binddn="cn=replicator,sid=241,sec=webhosting,o=company,c=de"
credentials="xxxxxxxxxxxxxxxxxxxxx"
syncrepl rid=001
provider=ldapi://
binddn="cn=Manager,o=company,c=de"
bindmethod=simple
credentials=xxxxxxxxxxxxxxxxxxxxxxxxx
searchbase="sid=241,sec=webhosting,o=company,c=de"
type=refreshAndPersist
retry="5 5 300 5"
overlay syncprov
...
#### and the 6300 consumers on the end ###############
database mdb
suffix "sid=240,sec=webhosting,o=company,c=de"
rootdn "cn=replicator,sid=240,sec=webhosting,o=company,c=de"
rootpw {SSHA}xxxxxxxxxxxxxxxx
index DFan,DFname,DFdnumber,sid,uid,uidNumber,gidNumber,DFCronjobID eq
index objectClass eq
index entryUUID,entryCSN eq
directory /var/lib/ldap/openldap-mdb/sid240
updatedn "cn=replicator,sid=240,sec=webhosting,o=company,c=de"
maxsize 1073741824
subordinate
updateref ldaps://ldapmaster:636
database mdb
suffix "o=company,c=de"
rootdn "cn=Manager,o=company,c=de"
rootpw {SSHA}xxxxxxxxxxxxxxxx
index objectClass eq
directory /var/lib/ldap/openldap-mdb/rest
Regards,
Daniel Betz
System Design Engineer / Senior Systemadministration
___________________________________
domainfactory GmbH
Oskar-Messter-Str. 33
85737 Ismaning
Germany
Telefon: +49 (0)89 / 55266-364
Telefax: +49 (0)89 / 55266-222
E-Mail: dbetz(a)df.eu
Internet: www.df.eu
Registergericht: Amtsgericht München
HRB-Nummer 150294, Geschäftsführer:
Tobias Mohr, Stephan Wolfram
6 years, 9 months
nslcd listing users and groups twice
by John Lewis
This is surprisingly non-trivial, especially when the nis schema for
openldap is more documented than the samba one from when I used to run
samba-ad-dc. I have the nslcd.conf attached.
6 years, 9 months